Lateral movement: A crash course

Although lateral movement has been a frequent factor in security breaches for years, attackers still use it in the vast majority of cyber-attacks. Moving across cloud and on-premises applications and services, threat actors escalate their way to often unprotected core technical assets, where they drop ransomware, steal data, poison the supply chain and more.

Organizations must start thinking more broadly and implementing solutions to proactively detect and prevent lateral movement attacks in real time.

The fundamentals of lateral movement


Lateral movement is predominantly caused by attackers subverting interconnected identity infrastructure. From their initial point of compromise, attackers dump credentials, attack service accounts and exploit Directory Services until they arrive at their destination masquerading as privileged users. This process is repeated until the target data or assets are exfiltrated or exploited: an inevitable chain reaction.

The blind spots of lateral movement detection

One of the key challenges in lateral movement detection is the blind spots in today's enterprise networks. Attackers disappear amongst a torrent of legitimate request data and often move between different identity providers, both in the cloud and on premises, so they can hide in plain sight.

Because attackers abuse legitimate but compromised credentials, either stolen directly or bought wholesale from the attacker community, their initial lateral movements are missed. In addition to this, internal identity infrastructure itself is notoriously difficult to secure and monitor.

Direct attacks which compromise the way such technologies manage permissions and privileges, such as Kerberoasting and Pass the Hash, often also go unnoticed, allowing attackers to assign themselves an escalating level of privileges. This problem is compounded by the fact that in a world of hybrid cloud infrastructure there is very little consolidation, if any, of identity threat data. Attackers understand these gaps, and gladly step into them.

The final blind spot is the core assets themselves, which are a target for attackers. Legacy applications, databases, servers and core technical infrastructure often lack access controls. MFA, a proven way of managing access, is typically not applied on internal assets, leaving them exposed.

Building real-time protection through risk analysis and MFA

Two elements need to work in concert to suffocate lateral movement -- visibility of identity threats and proactive MFA.

First, only by consolidating and analyzing the huge mass of identity data, whether on premises or in the cloud, can organizations start to build a full understanding of what should be trusted, and what is malicious. At such scale, this process needs to be automated and managed by a risk engine capable of understanding a baseline of legitimate requests to spot those which are illicit.

Second, organizations need to re-think authentication. As the perimeter has dissolved and the attack surface shifted to internal assets, MFA remains largely outward facing. Authentication now needs to be wrapped around the assets which attackers use to achieve the greatest impact -- everything from Command Line Interfaces and ICS Systems to core databases, servers and legacy applications.
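The two elements described above can be sketched together in a few lines. This is an added example, not code from the article or from any product: it merges authentication events from an on-premises directory and a cloud identity provider into one per-account baseline, then maps deviations to an allow, step-up MFA or block decision. The event fields, host names, account names and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events (not real logs), already normalized from a
# hypothetical on-prem directory feed ("ad") and cloud IdP feed ("cloud").
BASELINE_EVENTS = [
    {"idp": "ad", "account": "svc-backup", "source": "bkp01", "target": "db01", "protocol": "kerberos"},
    {"idp": "ad", "account": "alice", "source": "wks-17", "target": "fileshare", "protocol": "kerberos"},
    {"idp": "cloud", "account": "alice", "source": "wks-17", "target": "crm-saas", "protocol": "saml"},
]
NEW_EVENTS = [
    {"idp": "ad", "account": "alice", "source": "wks-17", "target": "fileshare", "protocol": "kerberos"},
    {"idp": "ad", "account": "svc-backup", "source": "wks-17", "target": "dc01", "protocol": "ntlm"},
    {"idp": "cloud", "account": "alice", "source": "wks-17", "target": "admin-console", "protocol": "saml"},
]
FIELDS = ("source", "target", "protocol")

def build_baseline(events):
    """Merge events from every identity provider into one profile per account."""
    profile = defaultdict(lambda: {f: set() for f in FIELDS})
    for e in events:
        for f in FIELDS:
            profile[e["account"]][f].add(e[f])
    return profile

def score(event, profile):
    """Return (risk, reasons): one point per attribute never seen for the account."""
    known = profile.get(event["account"])  # .get() does not create a default entry
    if known is None:
        return len(FIELDS), ["account has no baseline"]
    reasons = [f"new {f}: {event[f]}" for f in FIELDS if event[f] not in known[f]]
    return len(reasons), reasons

def decide(event, profile, mfa_threshold=1, block_threshold=3):
    """Map risk to an access decision; both thresholds are illustrative assumptions."""
    risk, reasons = score(event, profile)
    if risk >= block_threshold:
        return "block", reasons
    if risk >= mfa_threshold:
        return "require_mfa", reasons
    return "allow", reasons

if __name__ == "__main__":
    profile = build_baseline(BASELINE_EVENTS)
    for ev in NEW_EVENTS:
        action, why = decide(ev, profile)
        print(f'{ev["account"]:>10} -> {ev["target"]:<14} {action:<12} {"; ".join(why)}')
```

The service account authenticating from a workstation to a new host over a new protocol is blocked, while a known user reaching an unfamiliar internal target is challenged with MFA instead of being silently allowed.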

Only with this twin approach can organizations successfully see and stop the impact of lateral movement, building resilience and reducing risk.

Image Credit: Sergey Nivens / Shutterstock

Yaron Kassner is Co-Founder and CTO of Silverfort.

© 1998-2022 BetaNews, Inc. All Rights Reserved.